========================================================================
=================================================
[EMAIL PROTECTED] more ippool-not-in-use.conf
#
# IP Pool 100 represents the Internet Network Elements that
# are sending their syslog messages to netlog1|netlog2
#
# The first two entries AAA.BBB.XXX.25/32, AAA.BBB.YYY.29/32
# are the Internet Data Centre Firewalls (fwsm1-tor and
# fwsm2-tor)
#
# Review notes:
# - This table is what the bge0 syslog rule in ipf.conf references as
#   "pool/100": every prefix listed here may deliver unauthenticated
#   UDP/514 to the public syslog address.  The file name suggests the
#   table is not loaded yet -- confirm with "ippool -l" before the ipf
#   rule that references it is activated, otherwise the rule will fail
#   to load.
# - RRR.SSS.123.0/22 is not on a /22 boundary: the third octet of a /22
#   must be a multiple of 4, so .123 masks to .120 and the entry covers
#   .120-.123 (or is rejected by ippool) rather than .123-.126.  Because
#   .124, .125 and .126 are listed individually below, RRR.SSS.123.0/24
#   looks like the intent -- confirm against the address plan before
#   loading.
# - Overlapping entries (AAA.BBB.XXX.25/32 inside AAA.BBB.XXX.0/22) are
#   harmless in a tree table but make the host-specific entry redundant.
#
table role = ipf type = tree number = 100
{
AAA.BBB.XXX.25/32;
AAA.BBB.YYY.29/32;
EEE.FFF.0.0/24;
EEE.FFF.1.0/24;
EEE.FFF.2.0/24;
EEE.FFF.32.0/24;
EEE.FFF.64.0/24;
EEE.FFF.66.0/24;
EEE.FFF.67.0/24;
EEE.FFF.96.0/24;
HHH.III.80.0/24;
HHH.III.115.0/24;
BBB.CCC.65.0/24;
BBB.CCC.98.0/24;
VVV.WWW.14.0/24;
RRR.SSS.123.0/22;
RRR.SSS.124.0/24;
RRR.SSS.125.0/24;
RRR.SSS.126.0/24;
LLL.MMM.63.0/24;
AAA.BBB.XXX.0/22;
LLL.MMM.202.0/23;
LLL.MMM.223.0/24;
PPP.QQQ.54.0/24;
PPP.QQQ.158.0/24;
PPP.QQQ.174.0/24;
TTT.UUU.0.0/24;
NNN.OOO.32.0/24;
NNN.OOO.48.0/24;
NNN.OOO.64.0/22;
NNN.OOO.75.0/24;
NNN.OOO.96.0/22;
NNN.OOO.101.0/24;
NNN.OOO.128.0/23;
NNN.OOO.189.0/24;
NNN.OOO.224.0/23;
};
[EMAIL PROTECTED]
[EMAIL PROTECTED] more ipf.conf.using_pools
#IP Filter Configuration
#=======================
##############################################################
# INTERNAL INTERFACE - bge1 --> connection to private IDCnet #
##############################################################
#-----------------------------------------------------------------------
#INBOUND -- group 101
#--------------------
# Default inbound policy for bge1: drop and log everything, then hand the
# packet to group 101 where the explicit pass rules below are tried in
# order ("quick" stops evaluation at the first match inside the group).
block in log quick on bge1 all
head 101
#Not interested in seeing broadcasts from other devices
# (deliberately not logged so broadcast chatter does not fill the ipmon
# log; 10.206.6.255 is presumably the directed broadcast of bge1's own
# /24 -- confirm)
block in quick on bge1 from any
to 10.206.6.255/32
group 101
block in quick on bge1 from any
to 169.254.255.255/32
group 101
block in quick on bge1 from any
to 255.255.255.255/32
group 101
#SSH inbound connections ---> shell1/shell2
# "flags S keep state": only a bare SYN opens a state entry; the rest of
# the session rides that entry.  "port > 512" admits source ports
# 513-65535, so it is a loose ephemeral-port check, not a strict one.
pass in quick on bge1 proto tcp from
10.206.31.6/32 port > 512 to 10.206.6.9/32 port
= 22 flags S keep state group 101
pass in quick on bge1 proto tcp from
10.207.31.6/32 port > 512 to 10.206.6.9/32 port
= 22 flags S keep state group 101
#SSH inbound connections ---> netlog1/netlog2
# (peer netlog host only)
pass in quick on bge1 proto tcp from
10.207.6.9/32 port > 512 to 10.206.6.9/32 port
= 22 flags S keep state group 101
#ICMP ping inbound
# Echo request from any internal address; "keep state" lets the
# echo-reply leave without a matching pass rule in group 102.
pass in quick on bge1 proto icmp from any
to 10.206.6.9/32 icmp
-type echo keep state group 101
#ICMP Time Exceeded (keep state)
pass in quick on bge1 proto icmp from any
to 10.206.6.9/32 icmp
-type timex keep state group 101
#ICMP Host Unreachable
# (no code given, so every "unreach" code is admitted, including
# fragmentation-needed, which path-MTU discovery depends on)
pass in quick on bge1 proto icmp from any
to 10.206.6.9/32 icmp
-type unreach keep state group 101
#SNMP polling (UDP port 161) --> srvlog1/srvlog2 [NAGIOS/CACTI]
# Pollers pinned to the two monitoring hosts.  NOTE(review): if the agent
# speaks SNMPv1/v2c the community string crosses the wire in clear, so
# this source restriction is the main control -- keep it tight.
pass in quick on bge1 proto udp from
10.206.9.3/32 port > 1023 to 10.206.6.9/32 port
= 161 keep state group 101
pass in quick on bge1 proto udp from
10.207.9.3/32 port > 1023 to 10.206.6.9/32 port
= 161 keep state group 101
#-----------------------------------------------------------------------
#NFS mount to NetApps (nfsd and portmapper) -- TX NetApp
# Inbound half of the NFS rule set (the mounts this host initiates are
# covered by the stateful pass rules in group 102).  What is admitted
# here is traffic the filer initiates toward this host: portmapper (111),
# nfsd (2049), the 4045-4047 range (presumably lockd/statd -- confirm)
# and 4049.  NOTE(review): inbound 111/2049 to an NFS client is unusual;
# confirm each port is actually required rather than being a mirror of
# the outbound list.  "keep frags" caches fragment information for the
# matching flow; the "allow fragmentation" rule at the end of each set
# additionally passes ANY fragmented UDP from the filer regardless of
# port (the usual ipf/NFS workaround), so that rule is deliberately broad.
#port 111
pass in quick on bge1 proto tcp from
10.206.6.5/32 to 10.206.6.9/32 port
= 111 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from
10.206.6.5/32 to 10.206.6.9/32 port
= 111 keep state keep frags group 101
#port 2049
pass in quick on bge1 proto tcp from
10.206.6.5/32 to 10.206.6.9/32 port
= 2049 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from
10.206.6.5/32 to 10.206.6.9/32 port
= 2049 keep state keep frags group 101
#ports (4045-4047)
pass in quick on bge1 proto tcp from
10.206.6.5/32 to 10.206.6.9/32 port
4044 >< 4048 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from
10.206.6.5/32 to 10.206.6.9/32 port
4044 >< 4048 keep state keep frags group 101
#port 4049
pass in quick on bge1 proto udp from
10.206.6.5/32 to 10.206.6.9/32 port
= 4049 keep state keep frags group 101
#allow fragmentation (NFS) - TX NetApp
pass in quick on bge1 proto udp from
10.206.6.5/32 to 10.206.6.9/32
with frag group 101
#***************************************************************
#TEMPORARY UNTIL THE NETAPP at TX can be cutover to 10.206.6.5 *
#***************************************************************
# NOTE(review): no owner, date or ticket recorded for this exception;
# temporary rules tend to outlive the cut-over.  Record when
# 10.206.6.80 is due to go away and delete this whole section (and its
# twin in group 102) at that point.
#NFS mount to NetApps (nfsd and portmapper) -- TX NetApp
#port 111
pass in quick on bge1 proto tcp from
10.206.6.80/32 to 10.206.6.9/32 port
= 111 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from
10.206.6.80/32 to 10.206.6.9/32 port
= 111 keep state keep frags group 101
#port 2049
pass in quick on bge1 proto tcp from
10.206.6.80/32 to 10.206.6.9/32 port
= 2049 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from
10.206.6.80/32 to 10.206.6.9/32 port
= 2049 keep state keep frags group 101
#ports (4045-4047)
pass in quick on bge1 proto tcp from
10.206.6.80/32 to 10.206.6.9/32 port
4044 >< 4048 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from
10.206.6.80/32 to 10.206.6.9/32 port
4044 >< 4048 keep state keep frags group 101
#port 4049
pass in quick on bge1 proto udp from
10.206.6.80/32 to 10.206.6.9/32 port
= 4049 keep state keep frags group 101
#allow fragmentation (NFS) - TX NetApp
pass in quick on bge1 proto udp from
10.206.6.80/32 to 10.206.6.9/32
with frag group 101
#**********************************************************************
#END OF TEMPORARY UNTIL THE NETAPP at TX can be cutover to 10.206.6.5 *
#**********************************************************************
#NFS mount to NetApps (nfsd and portmapper) -- TJ NetApp
# Same port set as the TX filer, for the TJ filer at 10.207.6.5.
#port 111
pass in quick on bge1 proto tcp from
10.207.6.5/32 to 10.206.6.9/32 port
= 111 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from
10.207.6.5/32 to 10.206.6.9/32 port
= 111 keep state keep frags group 101
#port 2049
pass in quick on bge1 proto tcp from
10.207.6.5/32 to 10.206.6.9/32 port
= 2049 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from
10.207.6.5/32 to 10.206.6.9/32 port
= 2049 keep state keep frags group 101
#ports (4045-4047)
pass in quick on bge1 proto tcp from
10.207.6.5/32 to 10.206.6.9/32 port
4044 >< 4048 flags S keep state keep frags group 101
pass in quick on bge1 proto udp from
10.207.6.5/32 to 10.206.6.9/32 port
4044 >< 4048 keep state keep frags group 101
#port 4049
pass in quick on bge1 proto udp from
10.207.6.5/32 to 10.206.6.9/32 port
= 4049 keep state keep frags group 101
#allow fragmentation (NFS) - TJ NetApp
pass in quick on bge1 proto udp from
10.207.6.5/32 to 10.206.6.9/32
with frag group 101
#-----------------------------------------------------------------------
#HTTP to netlog servers ---> **IP PLAN/NETLOG WEB ACCESS** --> Allstream
#Corporate VPN Toronto (10.1.7.0/24, 10.1.8.0/24)
# Web access to the IP PLAN / netlog UI from corporate office and VPN
# subnets, one /24 per rule.  NOTE(review): this is cleartext HTTP; if
# the UI authenticates, credentials and session cookies traverse the
# corporate WAN unencrypted -- consider serving it over HTTPS and
# retiring the port-80 rules once clients have moved.  The source list
# below has grown by copy/paste; an ippool table (as already used for
# bge0 syslog) would make it easier to review and to keep in step with
# the address plan.
pass in quick on bge1 proto tcp from
10.1.7.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
pass in quick on bge1 proto tcp from
10.1.8.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN/NETLOG WEB ACCESS** --> Allstream
#Corporate VPN Calgary (10.1.9.0/24, 10.1.10.0/24)
pass in quick on bge1 proto tcp from
10.1.9.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
pass in quick on bge1 proto tcp from
10.1.10.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN/NETLOG WEB ACCESS** --> 438U
#4th/5th Floor LAN (10.1.184.0/24,10.1.185.0/24)
pass in quick on bge1 proto tcp from
10.1.184.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
pass in quick on bge1 proto tcp from
10.1.185.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN/NETLOG WEB ACCESS** --> 370 King
#Street LANs (159.18.15.0/24,159.18.18.0/24,159.18.19.0/24)
pass in quick on bge1 proto tcp from
159.18.15.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
pass in quick on bge1 proto tcp from
159.18.18.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
pass in quick on bge1 proto tcp from
159.18.19.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN/NETLOG WEB ACCESS** --> 151 Front
#VLAN (159.18.135.0/24)
pass in quick on bge1 proto tcp from
159.18.135.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> 205 5th Ave S.W. 4th
#floor, Calgary (10.1.121.0/24)
pass in quick on bge1 proto tcp from
10.1.121.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> 205 5th Ave S.W. 6th
#floor, Calgary (10.1.123.0/24) [Kevin Van Der Veen]
pass in quick on bge1 proto tcp from
10.1.123.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> 150 Laurier, 2nd
#floor, Ottawa (10.1.147.0/24)
pass in quick on bge1 proto tcp from
10.1.147.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> 255-5th Ave SW Ste
#600, Customer Ops (10.1.201.0/24)
pass in quick on bge1 proto tcp from
10.1.201.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> 123 Front Street
#West, CTAC (10.18.64.0/24)
pass in quick on bge1 proto tcp from
10.18.64.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> 715 5th Ave Calgary
#(Serval Tower) (10.1.60.0/24)
pass in quick on bge1 proto tcp from
10.1.60.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> 5160 Oribitor Drive
#(10.1.169.0/24)
pass in quick on bge1 proto tcp from
10.1.169.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> 5160 Oribitor Drive
#(10.1.193.0/24)
pass in quick on bge1 proto tcp from
10.1.193.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> 55 City Centre
#(10.20.30.0/24)
pass in quick on bge1 proto tcp from
10.20.30.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> 625 Belmont 6th
#floor (10.1.111.0/24)
pass in quick on bge1 proto tcp from
10.1.111.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> 625 Belmont 7th
#floor (10.1.112.0/24)
pass in quick on bge1 proto tcp from
10.1.112.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> 175 Cordova, 4th
#floor (10.1.248.0/24)
pass in quick on bge1 proto tcp from
10.1.248.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#
#
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> MTS VPN access
#(10.207.3.128/27)
pass in quick on bge1 proto tcp from
10.207.3.128/27 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> **IP PLAN ACCESS** --> MTS access
#(192.168.250.0/24)
pass in quick on bge1 proto tcp from
192.168.250.0/24 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#HTTP to netlog servers ---> srvlog1/srvlog2 [NAGIOS/CACTI]
# (monitoring hosts probing the web service)
pass in quick on bge1 proto tcp from
10.206.9.3/32 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
pass in quick on bge1 proto tcp from
10.207.9.3/32 port > 1023 to 10.206.6.9/32 port
= 80 flags S keep state group 101
#Syslog inbound (UDP port 514)
# NOTE(review): "from any" accepts syslog from every address reachable
# via bge1, whereas the equivalent bge0 rule is limited to ippool table
# 100.  UDP syslog carries no authentication, so anything that can route
# to bge1 can inject or spoof log lines; narrow the source to the
# internal server ranges if they are known.  "keep state" on a
# "from any" UDP rule also opens a state entry per source/port pair, so
# a spoofed flood can pressure the state table -- a stateless pass is
# sufficient for a one-way feed.  "port > 1023" may drop senders whose
# syslogd sends from source port 514 (classic BSD behaviour); check the
# ipmon log for blocked 514->514 datagrams before relying on it.
# "log first" logs only the first packet of each new state.
pass in log first quick on bge1 proto udp from any
port > 1023 to 10.206.6.9/32 port
= 514 keep state group 101
#mySQL database management and replication (port 3306) -->
#netlog1/netlog2
# The peer netlog host, mdb1/mdb2 and srvlog1/srvlog2 may open 3306
# here.  NOTE(review): MySQL replication and admin sessions are cleartext
# unless the server requires SSL for these accounts -- confirm, since the
# replication credentials and the log data cross the IDC network.
pass in quick on bge1 proto tcp from
10.207.6.9/32 port > 1023 to 10.206.6.9/32 port
= 3306 flags S keep state group 101
#
#mySQL database management and replication (port 3306) --> mdb1
pass in quick on bge1 proto tcp from
10.206.10.20/32 port > 1023 to 10.206.6.9/32 port
= 3306 flags S keep state group 101
#mySQL database management and replication (port 3306) --> mdb2
pass in quick on bge1 proto tcp from
10.207.10.20/32 port > 1023 to 10.206.6.9/32 port
= 3306 flags S keep state group 101
#
#mySQL database management and replication (port 3306) --> srvlog1
pass in quick on bge1 proto tcp from
10.206.9.3/32 port > 1023 to 10.206.6.9/32 port
= 3306 flags S keep state group 101
#mySQL database management and replication (port 3306) --> srvlog2
pass in quick on bge1 proto tcp from
10.207.9.3/32 port > 1023 to 10.206.6.9/32 port
= 3306 flags S keep state group 101
#BLOCK ALL OTHER TRAFFIC INBOUND - bge1
# Explicit catch-all.  The head rule would already drop anything the
# group does not match; the intent here appears to be "log first" (one
# line per unmatched flow) instead of the head rule's per-packet "log".
block in log first quick on bge1 all
group 101
#OUTBOUND -- group 102
#---------------------
# Default outbound policy for bge1: drop and log, then try the group 102
# pass rules.  Replies to sessions admitted by group 101 are already
# covered by their "keep state" entries and never reach this group.
block out log quick on bge1 all
head 102
#SSH outbound connections --> netlog1/netlog2
# (to the peer netlog host only; there is no general outbound SSH)
pass out quick on bge1 proto tcp from
10.206.6.9/32 port > 512 to 10.207.6.9/32 port
= 22 flags S keep state group 102
#ICMP ping outbound
pass out quick on bge1 proto icmp from
10.206.6.9/32 to any icmp
-type echo keep state group 102
#ICMP Host Unreachable
pass out quick on bge1 proto icmp from
10.206.6.9/32 to any icmp
-type unreach keep state group 102
#ICMP Time Exceeded (keep state)
pass out quick on bge1 proto icmp from
10.206.6.9/32 to any icmp
-type timex keep state group 102
#SNMP TRAPS outbound (UDP port 162) ---> srvlog1/srvlog2 [NAGIOS/CACTI]
pass out quick on bge1 proto udp from
10.206.6.9/32 port > 1023 to 10.206.9.3/32 port
= 162 keep state group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 port > 1023 to 10.207.9.3/32 port
= 162 keep state group 102
#SNMP TRAPS outbound (UDP port 162) ---> cicproxytx/cicproxytj
pass out quick on bge1 proto udp from
10.206.6.9/32 port > 1023 to 10.206.7.17/32 port
= 162 keep state group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 port > 1023 to 10.207.7.17/32 port
= 162 keep state group 102
#SNMP TRAPS outbound (UDP port 162) ---> collector3/collector4
pass out quick on bge1 proto udp from
10.206.6.9/32 port > 1023 to 10.206.7.10/32 port
= 162 keep state group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 port > 1023 to 10.206.7.11/32 port
= 162 keep state group 102
#Syslog outbound (UDP port 514) -- server syslog centralization -->
#srvlog1/srvlog2
# (the comment previously said "inbound"; these are pass-out rules for
# this host's own syslog forwarding).  NOTE(review): the first target is
# 10.206.9.4, but srvlog1 is 10.206.9.3 everywhere else in this file
# (SNMP, HTTP, 3306) and the TJ target below is 10.207.9.3 -- confirm .4
# is a deliberate syslog-only address and not a typo.
pass out quick on bge1 proto udp from
10.206.6.9/32 port > 1023 to 10.206.9.4/32 port
= 514 keep state group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 port > 1023 to 10.207.9.3/32 port
= 514 keep state group 102
#SMTP outbound
# Only the two internal mail hosts (10.206.6.6 / 10.207.6.6); no direct
# SMTP to anywhere else.  "log first" gives one log line per new mail
# session, so outbound mail is auditable without logging every packet.
pass out log first quick on bge1 proto tcp from
10.206.6.9/32 port > 1023 to 10.206.6.6/32 port
= 25 flags S keep state group 102
pass out log first quick on bge1 proto tcp from
10.206.6.9/32 port > 1023 to 10.207.6.6/32 port
= 25 flags S keep state group 102
#NTP outbound
# Source port is fixed at 123, so only a daemon bound to 123 (ntpd)
# matches; an ad-hoc query from an unprivileged source port (e.g.
# "ntpdate -u") would be dropped by the group-102 default block.
pass out quick on bge1 proto udp from
10.206.6.9/32 port = 123 to 10.206.6.6/32 port
= 123 keep state group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 port = 123 to 10.207.6.6/32 port
= 123 keep state group 102
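#DNS outbound ---> ns1/ns2 (requests)
# Resolver queries from this host: UDP/53 for ordinary lookups and TCP/53
# (SYN-only state) for truncated answers.  Each name server gets one TCP
# rule and one UDP rule.
# Fix: the second ns1 (10.206.6.11) rule was "proto tcp" without
# "flags S" -- a copy/paste slip that left ns1 with two TCP rules and no
# UDP rule, so UDP queries to ns1 were dropped (and logged) by the
# group-102 default block and, depending on resolver order, every lookup
# had to time out against ns1 before retrying ns2.  It is now proto udp,
# matching the ns2 pair.
pass out quick on bge1 proto tcp from 10.206.6.9/32 port > 1023 to 10.206.6.11/32 port = 53 flags S keep state group 102
pass out quick on bge1 proto udp from 10.206.6.9/32 port > 1023 to 10.206.6.11/32 port = 53 keep state group 102
pass out quick on bge1 proto tcp from 10.206.6.9/32 port > 1023 to 10.207.6.11/32 port = 53 flags S keep state group 102
pass out quick on bge1 proto udp from 10.206.6.9/32 port > 1023 to 10.207.6.11/32 port = 53 keep state group 102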
#-----------------------------------------------------------------------
#NFS mount to NetApps (nfsd and portmapper) -- TX NetApp
# Client side of the NFS rule set: this host mounting the TX filer.
# portmapper (111) and nfsd (2049) over TCP and UDP, the 4045-4047 range
# (presumably lockd/statd -- confirm) and 4049.  "keep state" means the
# filer's replies need no matching rule in group 101; the TCP rules use
# "flags S" so only a SYN opens state, the UDP rules open state on the
# first datagram.  The "allow fragmentation" rule at the end of each set
# passes ANY fragmented UDP to the filer regardless of port.
#port 111
pass out quick on bge1 proto tcp from
10.206.6.9/32 to 10.206.6.5/32 port
= 111 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.206.6.5/32 port
= 111 keep state keep frags group 102
#port 2049
pass out quick on bge1 proto tcp from
10.206.6.9/32 to 10.206.6.5/32 port
= 2049 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.206.6.5/32 port
= 2049 keep state keep frags group 102
#ports (4045-4047)
pass out quick on bge1 proto tcp from
10.206.6.9/32 to 10.206.6.5/32 port
4044 >< 4048 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.206.6.5/32 port
4044 >< 4048 keep state keep frags group 102
#port 4049
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.206.6.5/32 port
= 4049 keep state keep frags group 102
#allow fragmentation (NFS) - TX NetApp
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.206.6.5/32
with frag group 102
#***************************************************************
#TEMPORARY UNTIL THE NETAPP at TX can be cutover to 10.206.6.5 *
#***************************************************************
# NOTE(review): no owner, date or ticket recorded for this exception;
# remove this section together with its twin in group 101 once
# 10.206.6.80 is decommissioned.
#NFS mount to NetApps (nfsd and portmapper) -- TX NetApp
#port 111
pass out quick on bge1 proto tcp from
10.206.6.9/32 to 10.206.6.80/32 port
= 111 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.206.6.80/32 port
= 111 keep state keep frags group 102
#port 2049
pass out quick on bge1 proto tcp from
10.206.6.9/32 to 10.206.6.80/32 port
= 2049 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.206.6.80/32 port
= 2049 keep state keep frags group 102
#ports (4045-4047)
pass out quick on bge1 proto tcp from
10.206.6.9/32 to 10.206.6.80/32 port
4044 >< 4048 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.206.6.80/32 port
4044 >< 4048 keep state keep frags group 102
#port 4049
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.206.6.80/32 port
= 4049 keep state keep frags group 102
#allow fragmentation (NFS) - TX NetApp
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.206.6.80/32
with frag group 102
#**********************************************************************
#END OF TEMPORARY UNTIL THE NETAPP at TX can be cutover to 10.206.6.5 *
#**********************************************************************
#NFS mount to NetApps (nfsd and portmapper) -- TJ NetApp
# Same port set as the TX filer, for the TJ filer at 10.207.6.5.
#port 111
pass out quick on bge1 proto tcp from
10.206.6.9/32 to 10.207.6.5/32 port
= 111 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.207.6.5/32 port
= 111 keep state keep frags group 102
#port 2049
pass out quick on bge1 proto tcp from
10.206.6.9/32 to 10.207.6.5/32 port
= 2049 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.207.6.5/32 port
= 2049 keep state keep frags group 102
#ports (4045-4047)
pass out quick on bge1 proto tcp from
10.206.6.9/32 to 10.207.6.5/32 port
4044 >< 4048 flags S keep state keep frags group 102
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.207.6.5/32 port
4044 >< 4048 keep state keep frags group 102
#port 4049
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.207.6.5/32 port
= 4049 keep state keep frags group 102
#allow fragmentation (NFS) - TJ NetApp
pass out quick on bge1 proto udp from
10.206.6.9/32 to 10.207.6.5/32
with frag group 102
#-----------------------------------------------------------------------
#mySQL database management and replication (port 3306) -->
#netlog1/netlog2
# Outbound 3306 to the peer netlog host, mdb1/mdb2 and srvlog1/srvlog2
# -- the mirror of the inbound set in group 101.  NOTE(review): cleartext
# unless the MySQL accounts require SSL; confirm.
pass out quick on bge1 proto tcp from
10.206.6.9/32 port > 1023 to 10.207.6.9/32 port
= 3306 flags S keep state group 102
#
#mySQL database management and replication (port 3306) --> mdb1
pass out quick on bge1 proto tcp from
10.206.6.9/32 port > 1023 to 10.206.10.20/32 port
= 3306 flags S keep state group 102
#mySQL database management and replication (port 3306) --> mdb2
pass out quick on bge1 proto tcp from
10.206.6.9/32 port > 1023 to 10.207.10.20/32 port
= 3306 flags S keep state group 102
#
#mySQL database management and replication (port 3306) --> srvlog1
pass out quick on bge1 proto tcp from
10.206.6.9/32 port > 1023 to 10.206.9.3/32 port
= 3306 flags S keep state group 102
#mySQL database management and replication (port 3306) --> srvlog2
pass out quick on bge1 proto tcp from
10.206.6.9/32 port > 1023 to 10.207.9.3/32 port
= 3306 flags S keep state group 102
#BLOCK ALL OTHER TRAFFIC OUTBOUND - bge1
# Explicit catch-all; logs the first packet of each unmatched flow
# rather than every packet as the head rule would.
block out log first quick on bge1 all
group 102
#-----------------------------------------------------------------------
##############################################################
# EXTERNAL INTERFACE - bge0 --> connection to public IDCnet #
##############################################################
#-----------------------------------------------------------------------
#INBOUND -- group 201
#--------------------
# Default inbound policy for the public interface: drop and log, then
# try the group 201 pass rules.  Nothing on bge0 accepts TCP at all; the
# only service exposed is UDP/514 from the pool/100 sources.
block in log quick on bge0 all
head 201
#Not interested in seeing broadcasts from other devices
# (AAA.BBB.CCC.127 and .255 are presumably the directed broadcasts of the
# public subnet(s) -- confirm against the address plan)
block in quick on bge0 from any
to 169.254.255.255/32
group 201
block in quick on bge0 from any
to AAA.BBB.CCC.127/32
group 201
block in quick on bge0 from any
to AAA.BBB.CCC.255/32
group 201
block in quick on bge0 from any
to 255.255.255.255/32
group 201
#ICMP Time Exceeded (keep state)
# Admits traceroute/TTL-expired replies from anywhere.  NOTE(review):
# "from any" plus "keep state" opens a state entry per packet; if this
# ipf release already matches ICMP errors to the TCP/UDP state they
# relate to, these two rules may be unnecessary, otherwise consider
# passing them statelessly.
pass in quick on bge0 proto icmp from any
to AAA.BBB.CCC.9/32 icmp
-type timex keep state group 201
#ICMP Unreachable/Admin Prohibit (keep state)
# (every "unreach" code, including fragmentation-needed for PMTU)
pass in quick on bge0 proto icmp from any
to AAA.BBB.CCC.9/32 icmp
-type unreach keep state group 201
#Syslog inbound (UDP port 514)
# Only sources in ippool table 100 (the Internet network elements and the
# IDC firewalls) may deliver syslog to the public address.  NOTE(review):
# UDP syslog is unauthenticated and the source address is the only
# credential, so this rule depends on the upstream IDC firewalls doing
# anti-spoof (uRPF/ingress) filtering -- otherwise anyone on the Internet
# can inject log lines by spoofing a pool/100 address.  "keep state" on a
# one-way UDP feed from ~35 prefixes also creates a state entry per
# source/port pair; a stateless pass avoids state-table pressure from a
# spoofed flood.  "port > 1023" may drop elements whose syslogd sends
# from source port 514 -- check the ipmon log for blocked 514->514
# datagrams.  The rule will not load unless table 100 exists.
pass in quick on bge0 proto udp from pool/100
port > 1023 to AAA.BBB.CCC.9/32 port
= 514 keep state group 201
#BLOCK ALL OTHER TRAFFIC INBOUND - bge0
# Explicit catch-all; logs the first packet of each unmatched flow.
block in log first quick on bge0 all
group 201
#OUTBOUND -- group 202
#---------------------
# Default outbound policy for the public interface: drop and log, then
# try group 202.  There is no outbound TCP or UDP pass rule on bge0 at
# all -- apart from the ICMP below this host never originates traffic to
# the Internet, which is the right posture for a log collector.
block out log quick on bge0 all
head 202
#ICMP ping outbound (keep state)
pass out quick on bge0 proto icmp from
AAA.BBB.CCC.9/32 to any icmp
-type echo keep state group 202
#ICMP Masq Request (keep state)
# NOTE(review): "maskreq" is an ICMP address-mask request (RFC 950), a
# legacy probe few hosts still send; confirm something on this box
# actually needs it, otherwise remove the rule.
pass out quick on bge0 proto icmp from
AAA.BBB.CCC.9/32 to any icmp
-type maskreq keep state group 202
#ICMP Host Unreachable
pass out quick on bge0 proto icmp from
AAA.BBB.CCC.9/32 to any icmp
-type unreach keep state group 202
#BLOCK ALL OTHER TRAFFIC OUTBOUND - bge0
# Explicit catch-all; logs the first packet of each unmatched flow.
block out log first quick on bge0 all
group 202
#-----------------------------------------------------------------------
[EMAIL PROTECTED]
------------------------------------------------------------------------
Brian Olmsted, B.Sc
Sr. Technical Specialist Office: 416-644-7406
IP Edge Technology Fax: 416-640-9303
MTS Allstream Inc. Mobile: 647-321-5556
438 University Avenue, 412D Pager: [EMAIL PROTECTED]
Toronto, ON Canada M5G 2K8 Email: [EMAIL PROTECTED]
------------------------------------------------------------------------